|
| 1 | +--- |
| 2 | +title: Create a workflow with elevated permissions by using the SharePoint Workflow platform. Guidance for sites that enable workflow after November 7 2024. |
| 3 | +description: Create SharePoint workflows that access objects in SharePoint that require elevated permissions. These solutions grant permissions to the workflow app and wrap actions with the App Step. |
| 4 | +ms.date: 11/04/2024 |
| 5 | +ms.assetid: 4656f6a0-36fd-4b7d-898e-8cd4bdbbda57 |
| 6 | +ms.localizationpriority: high |
| 7 | +--- |
| 8 | + |
| 9 | +# Create a workflow with elevated permissions by using the SharePoint Workflow platform |
| 10 | + |
| 11 | +This article describes how to create SharePoint workflows that access objects in SharePoint that require elevated permissions. These solutions use two features: granting permissions to the workflow app and wrapping actions with the App Step. |
| 12 | + |
| 13 | +> [!NOTE] |
| 14 | +> SharePoint 2013 workflow has been deprecated since April 2023 and will be turned off for new tenants as of April 2, 2024. It will be removed from existing tenants and will be fully retired as of April 2, 2026. If you’re using SharePoint 2013 workflow, we recommend migrating to Power Automate or other supported solutions. For more info, see [SharePoint 2013 workflow retirement in Microsoft 365](https://aka.ms/sp-workflows-2013support). |
| 15 | +> SharePoint 2010 workflows have been retired since August 1, 2020 for new tenants and removed from existing tenants on November 1, 2020. If you’re using SharePoint 2010 workflows, we recommend migrating to Power Automate or other supported solutions. For more info, see [SharePoint 2010 workflow retirement](https://support.microsoft.com/office/sharepoint-2010-workflow-retirement-1ca3fff8-9985-410a-85aa-8120f626965f). |
| 16 | +
|
| 17 | +> [!IMPORTANT] |
| 18 | +> The scope of this article is when you want to use workflows with elevated permissions on sites that did not yet have workflow enabled on November 7, 2024. If your sites had workflow enabled before November 7, 2024, then follow [this guidance](create-a-workflow-with-elevated-permissions-by-using-the-sharepoint-workflo.md). |
| 19 | +
|
| 20 | +To create a workflow with elevated permissions follow these steps: |
| 21 | + |
| 22 | +1. Allow the workflow to use add-in permissions. |
| 23 | +1. Have a SharePoint tenant admin do a *one-time update of the workflow setup to allow application permissions being used and set the required permissions. |
| 24 | +1. Develop the workflow to wrap actions inside an App Step. |
| 25 | + |
| 26 | +## Allow a workflow to use add-in permissions on a SharePoint site |
| 27 | + |
| 28 | +The first step is to allow the workflow to use add-in permissions. You configure a workflow to use add-in permissions on the **Site settings** page of the SharePoint site where the workflow runs. The following procedure configures the SharePoint site to allow the workflow to use add-in permissions. |
| 29 | + |
| 30 | +> [!IMPORTANT] |
| 31 | +> The procedure must be completed by a user that has **Site Administrator** permissions. |
| 32 | +
|
| 33 | +### To allow workflow to use add-in permissions |
| 34 | + |
| 35 | +1. Select the **Settings** icon as shown in the figure to open the **Site settings** page. |
| 36 | + |
| 37 | +  |
| 38 | + |
| 39 | +1. Go to **Site settings**. |
| 40 | +1. In the **Site Actions** section, select **Manage site features**. |
| 41 | +1. Locate the feature called **Workflows can use app permissions**, as shown in the figure, and then select **Activate**. |
| 42 | + |
| 43 | + > [!WARNING] |
| 44 | + > This feature will not activate unless you have properly configured the SharePoint Workflow platform and SharePoint Add-ins. |
| 45 | +
|
| 46 | +  |
| 47 | + |
| 48 | +## Grant write permission to a workflow |
| 49 | + |
| 50 | +For the workflow to function properly, it must be granted full control on the site. The following procedure grants full control permission to the workflow. |
| 51 | + |
| 52 | +> [!IMPORTANT] |
| 53 | +> The procedure must be completed by a user that is **SharePoint tenant administrator** permissions. The workflow must already be published to the SharePoint site. |
| 54 | +
|
| 55 | +### To grant write permission to a workflow |
| 56 | + |
| 57 | +1. Select the **Settings** icon. |
| 58 | + |
| 59 | +  |
| 60 | + |
| 61 | +1. Go to **Site settings**. |
| 62 | +1. In the **Users and Permissions** section, select **Site app permissions**. |
| 63 | + |
| 64 | + > [!IMPORTANT] |
| 65 | + > In SharePoint Online, select **Site collection app permissions**. This option is only visible to **Site Collection Administrators**. |
| 66 | +
|
| 67 | +1. Copy the **client** section of the **App Identifier**. This is the identifier between the last "|" and the "@" sign, as shown in the figure. |
| 68 | + |
| 69 | +  |
| 70 | + |
| 71 | +1. Go to the **Grant permission to an app** page **as SharePoint tenant administrator**. This must be done by browsing to the `appinv.aspx` page of the tenant. |
| 72 | + |
| 73 | + Example: `http://{your tenant}-admin.sharepoint.com/_layouts/15/appinv.aspx`. |
| 74 | + |
| 75 | + > [!IMPORTANT] |
| 76 | + > The 'app' in this step refers to the tenant level workflow app. The tenant level Workflow app will have app-only access to all new sites where workflow is enabled, and the Workflow app is installed. |
| 77 | +
|
| 78 | + For more information about setting up a workflow, see the [Blog article from Sympraxis Consulting: Looping Through Content in a SharePoint Site Workflow](http://sympmarc.com/series/looping-through-content-in-a-sharepoint-2013-site-workflow/) |
| 79 | + |
| 80 | +1. Paste the client ID in the **App Id** field, and then select **Lookup**, as shown in the previous figure. |
| 81 | +1. Paste the following code in the **Permission Request XML** field to update the default permission to allow app-only. |
| 82 | + |
| 83 | + ```XML |
| 84 | + <AppPermissionRequests AllowAppOnlyPolicy="true"> |
| 85 | + <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Write" /> |
| 86 | + </AppPermissionRequests> |
| 87 | + ``` |
| 88 | + |
| 89 | + > [!WARNING] |
| 90 | + > There are no placeholders in the **Scope** value. It is a literal value. Enter it exactly as it appears here. |
| 91 | + |
| 92 | + The following figure shows an example. |
| 93 | + |
| 94 | +  |
| 95 | + |
| 96 | +1. Select **Create**. |
| 97 | +1. You are then asked to trust the workflow add-in, as shown in the following figure. Select **Trust It**. |
| 98 | + |
| 99 | +## Wrap actions inside an App Step |
| 100 | + |
| 101 | +Finally, you need to wrap the workflow actions inside an App Step. The following procedure wraps a **Send an Email** action inside an App Step. The workflow in this example sends an acknowledgement email message from a custom list. |
| 102 | + |
| 103 | +### To wrap actions inside an App Step |
| 104 | + |
| 105 | +1. Open the app catalog site in SharePoint Designer. |
| 106 | +1. Create a new Custom List on which to run the workflow. In this example, the list name is **App Demo**. |
| 107 | +1. Select **Workflows** in the navigation window. |
| 108 | +1. Create a new **List Workflow** for the **App Demo** list, as shown in the figure. |
| 109 | + |
| 110 | +  |
| 111 | + |
| 112 | +1. Insert an **App Step**, as shown in the figure. |
| 113 | + |
| 114 | +  |
| 115 | + |
| 116 | +1. Insert a **Send an Email** action in the **App Step**. |
| 117 | +1. Select the **Address book** button. In the **To** field, select **Workflow Lookup for a User**, and then select **Add** as shown in the figure. |
| 118 | + |
| 119 | +  |
| 120 | + |
| 121 | +1. Enter the **Created By** field as the lookup value, as shown in the figure. |
| 122 | + |
| 123 | +  |
| 124 | + |
| 125 | +1. Enter **Email** from the **App Demo** list in the email message body. |
| 126 | +1. Select **OK** to return to the workflow. The completed workflow is shown in the figure. |
| 127 | + |
| 128 | +  |
| 129 | + |
| 130 | +1. Select the **Workflow Settings** icon in the ribbon, as shown in the figure. |
| 131 | + |
| 132 | +  |
| 133 | + |
| 134 | +1. Clear the check box next to **Automatically update the workflow status to the current stage name**, and then select **Publish**. |
| 135 | + |
| 136 | +  |
| 137 | + |
| 138 | +## What are the implications of enabling app-only |
| 139 | + |
| 140 | +Enabling app-only workflows on a new site doesn’t guarantee app-only access to just that site. The tenant level Workflow app will have app-only access to all new sites where workflow is enabled, and the Workflow app is installed. If a tenant level permission is granted to this app, the Workflow app will be able to access tenant level resources. |
| 141 | + |
| 142 | +> [!Important] |
| 143 | +> For the above reasons, Microsoft does not recommend allowing app-only access, Tenant admins should weigh the risks of allowing app-only access within their tenancy. |
| 144 | + |
| 145 | +## Deletion of workflow principals |
| 146 | + |
| 147 | +> [!Important] |
| 148 | +> If the workflow principals (as listed via `/_layouts/15/appprincipals.aspx` or via Microsoft Entra admin center) are deleted, then they need to be restored within 30 days. |
| 149 | +> |
| 150 | +> - When the deleted principal was for a site that was configured to use SharePoint 2013 workflow before November 7th , that will break workflows running for that site |
| 151 | +> - When the deleted principal was the tenant level workflow app, this will break workflows running in all sites that were configured for workflow after November 7th, 2024 |
| 152 | + |
| 153 | +It’s critical to restore the Service Principal from the recycle bin within 30 days. If the restore does not happen during that period of time, workflows will be broken. |
| 154 | + |
| 155 | +### How to restore deleted Service Principals? |
| 156 | + |
| 157 | +Currently, service principals can be listed, viewed, hard deleted, or restored via the deletedItems Microsoft Graph API. To restore applications using Microsoft Graph, see [Restore deleted item - Microsoft Graph v1.0](https://learn.microsoft.com/en-us/graph/api/directory-deleteditems-restore?tabs=http). |
0 commit comments